Dec 28, 2017

Moving on from my previous post about setting up a typical Wireguard VPN connection, let’s go through how to do a chained setup. I will show both the typical chained Wireguard VPN connection and the one with selective routing, as described in my earlier post here.

Set up details

Let us start with the typical Wireguard VPN chained connection.

Here’s what our setup will look like:

An Ubuntu 16.04 (x64) VPS as our first VPN server, which we will refer to as the middleman (VPN Gateway One as shown in the diagram above).

An Ubuntu 16.04 (x64) VPS as our second VPN server, which we will refer to as the gate (VPN Gateway Two as shown in the diagram above).

An Ubuntu 16.04 (x64) computer as the client.

The internet facing interface on both VPN servers is eth0.

We will use the 10.200.200.0/24 subnet for the network between the client and the middleman.

We will use the 10.100.100.0/24 subnet for the network between the middleman and the gate.

We will use 10.200.200.1/24 as the middleman client facing interface (wg0) IP.

We will use 10.200.200.2/24 as the VPN client interface (vpn0) IP.

We will use 10.100.100.1/24 as the gate VPN interface (wg0) IP.

We will use 10.100.100.2/24 as the middleman gate facing interface (gate0) IP.

An Unbound DNS resolver for added security.

Set up steps

Install Wireguard on the middleman.

Install Wireguard on the gate.

Set up a Wireguard VPN tunnel between the client and the middleman.

Set up a Wireguard VPN tunnel between the middleman and the gate.

Configure policy routing on the middleman to route traffic from the client to the gate.

Update the middleman gate facing interface (gate0) to allow all traffic from the gate into the tunnel.

Confirm everything works as desired by doing a traceroute to the internet from the client.

1. Install Wireguard on the middleman.

I already went into the specifics of a typical Wireguard VPN setup in my previous post, so I’ll not go into the details here.

I have shared ansible scripts on Github for the automation so I’ll just run through the process here.

# Clone the repo on the client
git clone https://github.com/iamckn/chained-wireguard-ansible

# Move into the middleman folder
cd chained-wireguard-ansible/middleman/

# Edit the hosts file in that directory to change the IP to that of your middleman VPS

# Begin the installation process by running
ansible-playbook wireguard.yml -u root -k -i hosts

# If you're using an SSH key for authentication run this instead
ansible-playbook wireguard.yml -u root -i hosts

# Give it a few minutes and the server set up will be complete.

2. Install Wireguard on the gate.

The installation process is as below.

# Clone the repo on the client
git clone https://github.com/iamckn/chained-wireguard-ansible

# Move into the gate folder
cd chained-wireguard-ansible/gate/

# Edit the hosts file in that directory to change the IP to that of your gate VPS

# Begin the installation process by running
ansible-playbook wireguard.yml -u root -k -i hosts

# If you're using an SSH key for authentication run this instead
ansible-playbook wireguard.yml -u root -i hosts

# Give it a few minutes and the server set up will be complete.

3. Set up a Wireguard VPN tunnel between the client and the middleman.

We then set up Wireguard on our client.

We begin by installing wireguard on the client depending on what platform we’re on.

If you are on Kali Linux, you may have to install resolvconf if you don’t have it already.

Our Wireguard client config was generated during the middleman install process. The file is named wg0.conf and is in the home folder of the middleman. Use scp or whatever other method you prefer to copy it to your client.

I’ll rename mine to vpn0.conf and move it to /etc/wireguard/vpn0.conf.

5. Configure policy routing on the middleman to route traffic from the client to the gate.

We now have all the tunnels in place, but traffic from the client will still go out to the internet through the middleman.

Normally all we would need to do is modify the routes on the middleman so that traffic from the client is sent to the gate. Wireguard, however, through the wg-quick tool, employs a variant of rule-based (policy) routing that uses fwmark, so plain route entries are not enough.

We are therefore going to configure policy routing to ensure traffic from the client is passed on to the gate by the middleman.

6. Update the middleman gate facing interface (gate0) to allow all traffic from the gate into the tunnel.

Next we need to allow all traffic coming from the gate through the tunnel between the middleman and the gate. This is necessary for the internet return traffic that will be passed back through the tunnel: a Wireguard interface only accepts decrypted packets whose source address falls within the peer's allowed IPs (cryptokey routing), so replies from arbitrary internet addresses would otherwise be dropped on the middleman.

On the middleman run the following command:


wg set gate0 peer <peer_public_key> allowed-ips 0.0.0.0/0

Note that the peer_public_key in the command above can be obtained by running wg show on the middleman and checking the peer key listed under the gate0 interface.

7. Confirm everything works as desired by doing a traceroute to the internet from the client.

Before celebrating, do various tests to confirm traffic from your client is going out through the gate and not the middleman.

Below is a traceroute to 4.2.2.2 confirming my traffic passes through the middleman and goes out through the gate to the internet.

Selective Routing

What if we want only certain traffic to go out to the internet through the gate and everything else to go out through the middleman? The scenario is as below.

Let’s test an example scenario. We want all our internet traffic to go out through the middleman and not be forwarded to the gate. We do, however, want one exception: traffic to 4.2.2.2, which should go out through the gate.

The only thing we will need to do is modify the policy routes we set up on the middleman as follows:
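As an added example, not the post's own code, the script below shows one way of implementing both the chained routing of step 5 and this selective exception with a dedicated routing table and source-based ip rules on the middleman. The table id 200, the rule priority 100, the IP override for dry runs and the masquerade on gate0 are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example, not the post's own code: policy routing on the middleman.
# Assumptions: routing table id 200, rule priority 100, client subnet
# 10.200.200.0/24, gate tunnel interface gate0, IP override for dry runs.
# Must run as root on the middleman when applied for real.
set -u

CLIENT_NET="10.200.200.0/24"
GATE_IF="gate0"
GATE_TABLE="200"      # assumed: any table id not used by wg-quick
IP="${IP:-ip}"        # set IP to a stub to print commands instead of applying

# A table whose only entry is a default route through the gate tunnel.
gate_table_setup() {
    "$IP" route replace default dev "$GATE_IF" table "$GATE_TABLE"
}

# Chained mode (step 5): everything arriving from the client subnet
# consults the gate table before main, so it leaves via gate0, not eth0.
route_client_via_gate() {
    "$IP" rule add from "$CLIENT_NET" lookup "$GATE_TABLE" priority 100
}

# Selective mode: only client traffic to one destination goes via the gate;
# the rest falls through to the main table and exits through eth0.
route_client_dest_via_gate() {
    "$IP" rule add from "$CLIENT_NET" to "$1" lookup "$GATE_TABLE" priority 100
}

# Assumption: the gate's allowed IPs for the middleman is 10.100.100.2/32, so
# client packets must carry that source or the gate's cryptokey routing drops
# them. Masquerading on gate0 rewrites the source to the gate0 address.
masquerade_on_gate() {
    iptables -t nat -C POSTROUTING -o "$GATE_IF" -j MASQUERADE 2>/dev/null ||
        iptables -t nat -A POSTROUTING -o "$GATE_IF" -j MASQUERADE
}

# Verification: the rules and the gate table as the kernel sees them.
show_policy() {
    "$IP" rule show
    "$IP" route show table "$GATE_TABLE"
}

case "${1:-}" in
    chained)   gate_table_setup; masquerade_on_gate; route_client_via_gate ;;
    selective) gate_table_setup; masquerade_on_gate; route_client_dest_via_gate "${2:-4.2.2.2}" ;;
    show)      show_policy ;;
    *)         echo "usage: $0 chained | selective <destination> | show" >&2 ;;
esac
```

Rules added this way are not persistent, and neither is the wg set change from step 6, so rerun both after a reboot or from the gate0 interface's PostUp.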